When Twitter launched Vine, the app had access to Facebook's Friends API, which let Vine users see which of their Facebook friends were using the then-new app. But after approval from Zuckerberg himself, that access was cut off. "Unless anyone raises objections, we will shut down their [Vine's] Friends API access today. We've prepared reactive PR, and I will let Jana know our decision," Justin Osofsky, Facebook's vice president of global operations and media partnerships, said in an email at the time. Zuckerberg replied, "Yup, go for it."
The UK's Digital, Culture, Media and Sport Committee is using this is an example of Facebook's anticompetitive nature, which is further highlighted in more of the internal files. In November 2012, in an email about reciprocity and data value, Zuckerberg talked about how Facebook's goal was to let people "share everything they want." Developers on the site, he said, could build apps to let users do exactly that, but Facebook needed to be wary of them becoming a competitor in the social media space.
"Sometimes the best way to enable people to share something is to have a developer build a special purpose app or network for that type of content and to make that app social by having Facebook plug into it," Zuckerberg said. "However, that may be good for the world but it's not good for us unless people also share back to Facebook and that content increases the value of our network. So ultimately, I think the purpose of platform -- even the read side -- is to increase sharing back into Facebook."
"I just can't think [of] any instances where that data has leaked from developer to developer and caused a real issue for us. Do you have examples of this?" -- Facebook CEO Mark Zuckerberg
Although Zuckerberg may have changed his views on the world since then, it's clear that at the time all he cared about was what was good for Facebook and not anyone else. But that's something he's probably thinking more about today, as his company continues to face scrutiny over its mishandling of user data -- especially after the Cambridge Analytica data-privacy scandal from earlier this year. In 2012, however, Zuckerberg dismissed the risks of sharing user data, since it seems he couldn't imagine that the incident caused by Cambridge Analytica was even possible.
In October 2012, Zuckerberg sent an email to Sam Lessin, Facebook's former director of product management, to say he was getting "more on board" with locking down some access to developers on the site, including Friends data and email addresses for mobile apps. That said, Zuckerberg told Lessin he was "generally skeptical that there is as much data leak strategic risk as you think," and that he agreed there was "a clear risk on the advertiser side" but hadn't figured out how that related to the rest of the Facebook platform. "I think we leak info to developers," Zuckerberg added, "but I just can't think [of] any instances where that data has leaked from developer to developer and caused a real issue for us. Do you have examples of this?"
Of course, as we now know, that's basically what happened with Cambridge Analytica after it took people's data without Facebook's knowledge and then used it for political research. Unfortunately for Facebook and its users, that example Zuckerberg wanted came too late. Around the same time, the Facebook CEO discussed selling user data to developers who spent money on the site.
"If we make it so devs can generate revenue for us in different ways, then it makes it more acceptable for us to charge them quite a bit more for using platform," he said. "The basic idea is that any other revenue you generate for us earns you a credit towards whatever fees you own us for using platform. For most developers this would probably cover cost completely. So instead of every [developer] paying us directly, they'd just use our payments or ads products." Zuckerberg said the basic model for that could be letting developers use the Login with Facebook API for free (as it is today), but if they wanted access to things like someone's Friends list, then they'd have to pay $0.10 per user every year.
The emails seized by the UK Parliament also allege that Facebook thought about bypassing an Android permission screen that would ask for access to people's call logs, which would obviously be a strong violation of users' privacy. Here's a concerning email exchange between two Facebook executives from February 2015:
"Hey guys, as you know all the growth team is planning on shipping a permissions update on Android at the end of this month. They are going to include the 'read call log' permission, which will trigger the Android permissions dialog on update, requiring users to accept the update. They will then provide an in-app opt in NUX for a feature that lets you continuously upload your SMS and call log history to Facebook to be used for improving things like PYMK, coefficient calculation, feed ranking etc. This is a pretty high risk thing to do from a PR perspective but it appears that the growth team will charge ahead and do it."
The reply is even worse:
"The Growth team is now exploring a path where we only request Read Call Log permission, and hold off on requesting any other permissions for now.
Based on their initial testing, it seems this would allow us to upgrade users without subjecting them to an Android permissions dialog at all. It would still be a breaking change, so users would have to click to upgrade, but no permissions dialog screen."